Cross-Platform Java Sandbox Exploit
DrWho520 points out this report at silicon.com which begins "A flaw in Sun's plug-in for running Java on a variety of browsers and operating systems could allow a virus to spread through Microsoft Windows and Linux PCs. The vulnerability, found by Finnish security researcher Jouko Pynnonen in June, was patched last month by Sun, but its details were not made public until Tuesday." The hole affects Linux and Windows.
Re:Makes me wonder... (Score:5, Informative)
...Or better, since Java runs in a (relatively) secure sandbox. It's worth noting, from the article [silicon.com], that there hasn't to date been a single Java virus. This is bad, but it has to get a lot worse before comparison with ActiveX is warranted.
Re:At least... (Score:1, Informative)
Opera not affected (Score:3, Informative)
Re:Windows and Linux? (Score:5, Informative)
http://antivirus.about.com/library/weekly/aa03280
http://www.itworld.com/AppDev/1312/IWD010328hnvir
Looks like this has been happening since 2001 according to the itworld article (look at the date in the upper-left-hand corner).
The only thing that has changed is the vector of infection. There was also a
WARNING! (Score:1, Informative)
Be sure to get the right one from java.sun.com/j2se
Re:Opera not affected (Score:5, Informative)
More detailed info ... (Score:3, Informative)
java.com still offering BAD version (Score:4, Informative)
Version 1.5.0 is available from java.sun.com [sun.com].
WAKE UP SUN!
Java language != Java Sandbox (Score:2, Informative)
Re:No root privilege escalation (Score:2, Informative)
BFD. Most machines that are used for surfing the web are single-user machines, and having that user's stuff trashed is the same as trashing the whole machine.
Re:java.com still offering BAD version (Score:4, Informative)
Re:Where's the patch? (Score:3, Informative)
Auto-update does not seem to work (yet?) (Score:2, Informative)
Sadly, the "Update Now" button in my J2SE 1.4.2_05 RE Plug-in Control Panel still informs me that I already have the latest version installed. You'll probably have to update manually, for now.
Another thing: the auto-update timer in that same Control Panel is set to go off once a month by default. You might want to turn that up a notch for fixes like these.
Re:Java == Platform (Score:3, Informative)
There are other Java runtimes, which are allowed to use the name Java because they pass the conformance tests (such as IBM's Java runtime); they would not be vulnerable to this exploit.
Re:Not that critical.. (Score:4, Informative)
Re:Windows and Linux? (Score:2, Informative)
I found this one [slashdot.org] using "cross-platform virus site:slashdot.org [google.be]".
Re:Java *IS* OPEN SOURCE (Score:2, Informative)
Patches [java.net]
Re:No root privilege escalation (Score:3, Informative)
The difference is that running as a non-admin on Windows is a huge pain, as many programs don't play nicely with non-admin accounts. Windows has a huge legacy of "one user per machine" thinking in its applications development history.
That means that many apps will not run well under non-admin accounts on Windows. Try it sometime and see. Talk to any tech-support person and ask what fraction of calls they get due to people trying to run under non-admin accounts (there's been a spate of this lately as folks upgrade to SP 2 and decide to get a bit more serious about security.)
In comparison, I've run Unix of one kind or another since the 80's and have never had to be root to do anything other than install software or do configuration stuff.
--Tom
Mac (Score:4, Informative)
Anyone else try this on the mac and have similar results?
Re:Windows and Linux? (Score:3, Informative)
For at least a decade there have been "Windows-based systems" with file system access control much more sophisticated than anything offered by Linux (at least in typical configurations using rwxrwxrwx style permissions) even today.
Not to say the hard shell on most Windows systems doesn't more closely resemble Swiss cheese, but you don't need to resort to inaccurate statements to make that case.
Re:there have been lots of those before (Score:1, Informative)
Found in April not June (Score:3, Informative)
But according to the Bugtraq posting [neohapsis.com] Sun Microsystems was informed on April 29, 2004.
I was hit last night by this exploit (Score:3, Informative)
Last night, while sitting at my machine, I noticed a Java icon appear in my taskbar. "That's weird," I thought, "I'm not doing anything or hitting any pages that should need the JRE." Since I don't use the JRE much anymore (I installed it while testing a Java-based web server) I went to "Add/Remove Programs" and uninstalled j2re-1.4.2_05.
Too late. This morning I browsed to Slashdot and saw the parent article telling me why the Java icon had popped up.
Whatever payload the thing delivered appears to have punched a hole in Norton AntiVirus (the Norton Firewall console is reporting that Norton AntiVirus requires "Urgent Attention", but the annunciator on the AntiVirus tab appears to have been disabled in an effort to hide whatever was done to the AntiVirus). It may also have installed the bat/mumu-a worm (one spyware scanner is reporting an infection by the worm, but Symantec's bat/mumu-a removal tool reports the machine is clean).
Once a drive has been compromised by something more complicated than a simple virus, there's no way you can ever trust the machine again because there is no way to know what sort of rootkit the exploit delivered.
I've already disconnected the machine from my network and picked up a new hard drive. The old hard drives will go into an external drive housing that I'll only connect to the machine (a) after I have antivirus software reinstalled and (b) only if I absolutely have to pull data from the drive.
"Not that critical" hah! This is by far the most serious attack I've ever been hit with, and I downloaded j2re-1.4.2_05 at most two months ago (elsewhere in the comments someone is reporting that j2re-1.4.2_05 is still available for download from sun.com, I can't confirm that but this is hardly an antiquated version).
There goes my day...
-Don
Incorrect (Score:1, Informative)
No. That's incorrect. It's neither a function of the browser (by definition, a plug-in is an extension that's not part of the browser core), NOR a function of the language or its runtime. It's because of Sun's Java plug-in. So don't go trashing the language or VM, even if they come from the same company as the plug-in in question.
There's nothing wrong with Java the language or its runtime that fundamentally causes problems like this.